Cyber Offensive

Building a bullet-proof IT system is harder than you think.By Robert J. Derocher | Fall 2016

So you want a super secure IT system, one that provides around-the-clock protection from hacks, attacks and viral invasions? Good luck.

“The unfortunate truth is that it’s just not possible to be 100-percent secure,” says Lillian Ablon, an information scientist at the RAND Corporation, and a professor at the Pardee RAND Graduate School. “The best we can do is to make it costly for the attackers—in terms of time, money, resources, personnel and effort.”

While that may not be the comforting statement you were looking for, Ablon and other cybersecurity experts agree that foolproof security is a fallacy. That said, not spending the time and resources to make your computer systems as secure as possible is, well, foolish. A well-developed plan that deters inside and outside IT threats—as well as detailing what to do in an eventual breach—is a must for even the smallest of CPA and financial services firms, they say.

Although the task might seem insurmountable in this age of internationally leaked emails, threatening computer virus-es and daring cyber heists, there are four key steps you can take to mitigate risks.

Step 1: Security check

First, get a good handle on just what you have and how safe it is. “You have to understand what your most critical assets are. What are the things you have to do to stay in business?” says Summer Fowler, technical director for the Cybersecurity Risk and Resilience Directorate at the CERT Division of the Software Engineering Institute, Carnegie Mellon University. “It’s surprising how few organizations understand their most critical assets.”

Developing a data classification policy that clearly defines the data you have, its value and where it should be protected—and then establishing a priority system for protection—is essential to a solid IT protection system, explains Tim Erlin, senior director of IT Security and Risk Strategy for Tripwire, an IT software security firm.

“You need to do a risk assessment to see what matters the most,” Ablon adds. “‘Who would pose the most threat? What do they want? What happens to my company if they get there?’”

For accounting and financial firms, it starts with developing a vulnerability policy that protects clients’ confidential financial information, says John Pouey, an IT specialist in the financial field with more than 15 years experience in IT audit, information security and risk management. Pouey also serves as a volunteer with the Greater New Orleans Chapter of ISACA, the international association for IT security, assurance, risk management and governance professionals.

Training employees on everything from password protection to turning off unattended computers, recognizing malware, spotting scams and avoiding suspicious attachments is a critical part of low-tech IT protection, Erlin adds. “It has to be consistent,” he says of employee training. “These threats do change.”

One way Pouey likes to test employees is to use online programs that send suspicious emails, such as phishing scams, to help them recognize potentially dangerous outside system attacks. Employees are encouraged to hover over a link before opening it and to look for common hacker signals, such as misspellings and a sense of urgency in the messages.

“We would rather they fail with us than get hit with some ransomware,” he says. “If it’s not expected and there’s an attachment, and it’s from the outside, be extra careful.”
Pouey cautions not to underestimate the role of employees, who are often the first line of defense in attempted system hacks. “Train, train, train is probably the best device out there,” he says. “Repeat-ed awareness really drives the point home.”

There’s also a growing number of higher-tech tools to help companies fend off system attacks, Pouey adds, including automated malware protection software, data-loss prevention and detection tools, email monitoring tools, and automated scanning programs that spot viruses and vulnerabilities and offer fixes. Penetration testing, which simulates cyberattacks, also helps companies spot weaknesses in their systems.

It’s not just external attacks that companies must fret over, however; ensuring that employees, ex-employees and other insiders can’t exploit IT security weaknesses is mission critical. Policies should be in place to guarantee that employees can access only the systems they need, and that such access is closely monitored—particularly at times when an employee’s job changes, or they are terminated.

“Access control needs to be dynamic,” says Ablon. “It’s probably not a good idea to have one username and one password to access all files, and to not change them.”

Step 3: Respond and recover

So, the inevitable happens and your company’s IT system is compromised: What’s your course of action? Surprisingly, many companies don’t have a plan in place to ensure damage is confined and, just as importantly, the company can continue to operate.
“There needs to be an incident response plan, and it needs to be corrective,” Pouey insists. “It’s your safety net to limit the damage.”

One of the key words in a response plan is “resilience,” says Fowler. Many companies tend to focus more on the threats rather than building up a resilient response to problems. Balancing those demands can be challenging—particularly in the face of high-profile hacks and viruses—but “the threat will change much more quickly than the impacts,” she says.

For Erlin, an effective response plan includes a list of immediate technological steps to take to stem problems; a communication plan that lists personnel roles and responsibilities, as well as how employees and customers should be notified; a plan for contacting law enforcement and other authorities; and steps to ensure all backup programs are running and up-to-date.

Step 4: Get it done

Erlin and other IT security professionals agree that when the time requirements and financial obligations are examined, many companies—particularly solo and small-firm practitioners—can find that the overall task of IT security, from planning to implementation, is daunting and a distraction from their bread-and-butter work. Increasingly, they say, IT security firms can be called in to help.

But selecting the right vendor—one that’s willing to work with you and not just drop in low-cost tech tools—is critical. “The resources are out there, but no third party is going to understand what is most critical for your organization,” says Fowler. “You can’t blindly turn it over to someone else.”

Ultimately, today’s IT environment requires investment to protect yourself, your reputation and your business. “Cybersecurity spending is a cost. It’s not bringing in revenue,” says Ablon. “But if you don’t spend it, you may have a different and more inconvenient cost to deal with.”